enchive icon indicating copy to clipboard operation
enchive copied to clipboard

Published 20 hours ago verified publisher icon skeeto

round filesize up

Open rain-1 opened this issue 6 years ago • 1 comments

I think you can calculate the exact size of a file based on the encrypted version. This could leak information in some situations. Could be solved by rounding up to a 1MB boundary.

rain-1 avatar Jul 12 '18 09:07 rain-1

Yup, this is completely trivial. Enchive adds exactly 72 bytes to the original file size, some header and some footer (MAC). It doesn't try to compress the input or otherwise mask the input size.

This would be an issue when encrypting live packets of data — e.g. instant messages, text messages, VoIP. However, the ultimate purpose of Enchive is long-term file archival, so I'm not really concerned about this.

(If someone was super paranoid about this, they could append (i.e. with tar) a random quantity of bytes to the input using a wrapper script.)

skeeto avatar Jul 12 '18 10:07 skeeto